A freedom of information request which revealed a lack of cyber and information governance training may be something of a red herring. But that doesn’t mean there isn’t valuable work to be done on creating a cyber-qualified NHS IT workforce, our expert columnist Davey Winder argues.
When a freedom of information request last year revealed one in four NHS trusts had precisely zero staff with cyber qualifications and on average trusts only had one qualified security professional per 2,582 employees, there was something of a media feeding frenzy.
This was an understandable reaction given that cyber remains something of an exposed nerve nearly two years on from the WannaCry ransomware attack that hit NHS services so badly.
Am I surprised that only 12% of trusts had hit the mandatory NHS Digital information governance target that 95% of staff must pass that training every 12 months? Nope. Given the resource shortage heat that the NHS continues to feel, and given that only a quarter of trusts had trained fewer than 80% of their staff (remembering that there’s no requirement for the 95% target to be maintained across the full year, of course), I’m inclined to think it’s something of a red herring as far as security posturing is concerned.
Ditto the variation in security training spend from trust to trust: from £238 to £78,000 across the year. Let’s not forget that most training is done in-house anyway, much using the resources provided by NHS Digital.
And there’s a perfectly reasonable debate to be had as to whether information governance training has any real meaning when it comes to benchmarking data security for the NHS anyway.
An impressionistic or photo-realistic portrait?
Sure, user awareness paints part of the picture but it’s more an impressionistic landscape than a photo-realistic portrait if you ask me. Nobody did ask me, but a couple of months ago I gave my opinion anyway on the importance of awareness training when I argued it should be a mandatory part of every staff on-boarding programme.
But in my never-humble opinion, a fish of a different colour can be found if we turn our attention to the training and qualifications of cybersecurity professionals within NHS IT teams. The skills gap is much talked about when it comes to cybersecurity, with security operations centres struggling to find qualified and experienced analysts to fill the vacancies they have.
And that’s in the private sector, mind, not the cash-strapped NHS. What we should really be talking about is the remuneration gap. Put to one side, for a moment, the comparative value of, say, nurses and office staff in the healthcare budget and consider the bigger picture.
Are we all in this together?
David Cameron was once fond of saying we are all in this together. While I suspect he was being just a tad disingenuous at the time, I do think that phrase applies to the NHS. Public service healthcare is an organic entity and all constituent parts are vital to the successful growth of the whole.
Where am I going with this? Good question, and the answer is down the road of arguing there must be proper investment in the people as well as processes that deliver cybersecurity within the NHS or patient care will ultimately suffer. We saw that with WannaCry when operations were cancelled, by way of just one example.
A cyber-safe NHS – and while I may be a fool, I’m not fool enough to suggest you can ever have a 100% cyber-secure NHS – is only achievable through that investment in people. That means recruiting appropriately qualified staff to lead from within, and establishing mandatory (and, crucially, properly funded) qualification and accreditation routes for those already on the payroll.
Not a silver bullet, but a step in the right direction
This isn’t a silver bullet. I know that, and you know that. But it is a step in the right direction. Ignore that accreditation can be a meaningful measure of security assurance and I fear the NHS will find itself lost in an ever-evolving, always changing, increasingly hostile threatscape.
Usually I get accused of over-dramatising the role of cybersecurity within organisations, but for once it really could be a literal matter of life and death.
Accountability comes through professionalism, which comes through standards and accreditation, which revolves around training, which needs money.
I fear we are back where we started for this column, but I’d love to think that if that FOI request were repeated in 18 months’ time the outlook might be a brighter one. I’m hopeful that the notion of certification, accreditation and qualification as a tool in the cybersecurity box – given that it offers a return on investment through reduced exposure to risk – will start being more readily accepted by the hands that hold the purse-strings.